DNS Hijacking

DNS, in case you don’t know, is how your device finds a website’s IP address when you type a web address in the URL bar. For example, gmail.com can be found at 142.250.72.101, one of gmail.com’s many IP addresses. (If you go directly to one of its IP addresses though, it’ll send you to Google instead.) DNS, the Domain Name System, is the part of the internet’s infrastructure that lets your device look that up.

DNS hijacking (often lumped together with DNS spoofing, though strictly speaking spoofing means forging the answers in transit, while hijacking means steering your questions to a resolver that lies) is what happens when you type gmail.com in the address bar but you don’t end up at one of its IP addresses, and land somewhere else instead, like maybe a hacker’s server at 1.3.3.7.

See, in order for your device to figure out that gmail.com is at 142.250.72.101, it has to ask someone what gmail.com’s IP address is. That someone (or something, rather) is a server called a DNS resolver, and your device normally just trusts whatever it answers.

Most people don’t know about DNS resolvers and don’t think about DNS, so which resolver their device ends up asking usually gets decided like this:

  1. Their device uses the default DNS settings of their operating system
  2. Their operating system by default uses the DNS resolver handed out by the network router (over DHCP, along with the IP address the device gets)
  3. And the network router by default uses the DNS resolver of the ISP providing the internet connection

So if you’re at home and your internet connection is from AT&T, then by default you’re using AT&T’s DNS resolver at 68.94.156.1. If you’re at work and your company internet connection is provided by Verizon, then by default you’re using one of Verizon’s DNS resolvers, like 8.237.161.14.

Now, nothing is wrong with this way of picking DNS resolvers when you’re on a network you trust, like at home or at work (you’re still trusting your ISP’s resolver to tell the truth, but that’s a decision you already made when you signed up for the connection). The problem arises when you can’t trust the network you’re on, like with public Wi-Fi.

If you’re in a place with public Wi-Fi, like at an airport, there can be dozens of Wi-Fi networks available to you. The airport’s Wi-Fi is probably legit, will use a legitimate ISP’s DNS resolver, and will give you the real IP addresses of gmail.com. Thing is, are you sure you’re connected to the airport’s Wi-Fi, and not a hacker’s?

See, anybody can create a Wi-Fi network and name it anything. And if you’re on a hacker’s Wi-Fi network that just happens to be called “Totally Legit Airport Wi-Fi“, then you’re being man-in-the-middle attacked: every packet goes through the hacker’s access point, and, by default, you’re using whatever DNS resolver its DHCP server tells you to use. Then when you try to go to gmail.com, that resolver might give you a real IP address for gmail.com, or it might give you a fake one.

If it gives you a fake one, like 1.3.3.7, then your DNS has been hijacked, and whatever you type into the page that loads there (say, a convincing copy of the Gmail login page) goes to the hacker.
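Here’s a way to check this for yourself. The script below is an added example, not code from the original article: it reads the resolver your system was handed (from /etc/resolv.conf, so Linux/BSD; on macOS `scutil --dns` shows the same thing), asks it for gmail.com’s addresses with a hand-built DNS query, asks a resolver you trust more the same question (it assumes Cloudflare’s public 1.1.1.1 as that reference), and flags answers that aren’t public IP addresses or that don’t overlap at all. The `build_response` helper exists only to construct sample replies for offline testing; everything else is what a stub resolver actually does on the wire.

```python
import ipaddress
import random
import socket
import struct
import sys

TRUSTED_RESOLVER = "1.1.1.1"  # assumption: a public resolver you trust more than the Wi-Fi's

def _encode_name(name: str) -> bytes:
    """gmail.com -> b'\\x05gmail\\x03com\\x00' (DNS wire-format labels)."""
    return b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in name.rstrip(".").split(".")) + b"\x00"

def build_query(name: str, qid: int) -> bytes:
    """A/IN query with the RD (recursion desired) flag set, exactly as a stub resolver sends it."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + _encode_name(name) + struct.pack(">HH", 1, 1)

def build_response(qid: int, name: str, ips: list, ttl: int = 300) -> bytes:
    """Constructed reply for offline testing: what a resolver (honest or not) might send back."""
    header = struct.pack(">HHHHHH", qid, 0x8180, 1, len(ips), 0, 0)  # QR, RD, RA set; rcode 0
    question = _encode_name(name) + struct.pack(">HH", 1, 1)
    rrs = b"".join(b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, ttl, 4)  # name = pointer to question
                   + ipaddress.IPv4Address(ip).packed for ip in ips)
    return header + question + rrs

def _skip_name(data: bytes, off: int) -> int:
    """Advance past a (possibly compressed) name; a 0xC0 pointer always ends the name."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length

def parse_a_records(data: bytes, expected_id: int) -> set:
    """Return the IPv4 answers, rejecting replies whose transaction ID is not the one we sent."""
    qid, flags, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", data[:12])
    if qid != expected_id:
        raise ValueError("transaction ID mismatch (stale or injected reply)")
    if flags & 0x000F:
        raise ValueError(f"resolver returned rcode {flags & 0x000F}")
    off = 12
    for _ in range(qdcount):
        off = _skip_name(data, off) + 4  # skip QTYPE + QCLASS
    answers = set()
    for _ in range(ancount):
        off = _skip_name(data, off)
        rtype, rclass, _ttl, rdlen = struct.unpack(">HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            answers.add(str(ipaddress.IPv4Address(data[off:off + 4])))
        off += rdlen
    return answers

def assess(system_answers: set, trusted_answers: set) -> list:
    """Red flags: an answer that is not a public address (a rogue AP often points you at itself),
    or no overlap at all with the trusted resolver. Disjoint sets alone can just be CDN
    geo-steering, so treat that as a prompt to verify with TLS, not as proof of hijacking."""
    findings = [f"{ip}: not a globally routable address"
                for ip in sorted(system_answers) if not ipaddress.ip_address(ip).is_global]
    if system_answers and trusted_answers and system_answers.isdisjoint(trusted_answers):
        findings.append("no answer in common with the trusted resolver (verify the certificate)")
    return findings

def lookup(name: str, resolver: str, timeout: float = 3.0) -> set:
    """Live UDP query to one resolver (needs network)."""
    qid = random.getrandbits(16)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, qid), (resolver, 53))
        data, _ = sock.recvfrom(4096)
    return parse_a_records(data, qid)

def system_resolvers(resolv_conf: str) -> list:
    """Nameservers listed in resolv.conf text. 127.0.0.53 means systemd-resolved is in front;
    the real upstream is then shown by `resolvectl status`."""
    return [line.split()[1] for line in resolv_conf.splitlines()
            if line.strip().startswith("nameserver") and len(line.split()) > 1]

if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "gmail.com"
    with open("/etc/resolv.conf") as f:
        resolver = system_resolvers(f.read())[0]
    mine, ref = lookup(host, resolver), lookup(host, TRUSTED_RESOLVER)
    print(f"{resolver} says {sorted(mine)}; {TRUSTED_RESOLVER} says {sorted(ref)}")
    for finding in assess(mine, ref) or ["no red flags"]:
        print(" -", finding)
```

Run it as `python3 dnscheck.py gmail.com` on the Wi-Fi you’re suspicious of. A disagreement between the two resolvers isn’t proof by itself, since big sites hand out different addresses per region, but a private address like 192.168.x.x for gmail.com is the captive-portal-or-worse pattern, and anything odd should be followed up by checking the site’s certificate over HTTPS.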

There is a fairly easy way to prevent this though: use a VPN with a kill-switch on, as I discuss in this article. The VPN tunnels your DNS queries to the VPN provider’s resolver, so the hacker’s resolver never sees them, and the kill-switch blocks all traffic if the tunnel drops instead of quietly falling back to the Wi-Fi’s DNS. Two caveats: check that your VPN client actually routes DNS through the tunnel (a “DNS leak” test will tell you), and understand that you’re now trusting the VPN provider’s resolver instead of the network’s.

In a web browser, there’s also a second line of defence that catches a hijack after the fact: HTTPS. If DNS sends you to 1.3.3.7 instead of Google, the server there can’t present a certificate for gmail.com that your browser trusts, so instead of a secure connection you get a full-page certificate warning (or a site that simply refuses to load). HTTPS doesn’t stop the DNS answer from being wrong; it stops the wrong server from successfully pretending to be gmail.com. Two things to know about this check: the padlock hasn’t been green for years (Chrome dropped the colour in 2018, and newer versions show a plain lock or a settings icon instead), so what you’re looking for is that the browser reports the connection as secure and that you never click through a certificate warning. And if you typed gmail.com without https:// and your browser tries plain HTTP first, the hacker’s server can simply answer over HTTP with no certificate at all; HSTS and the HTTPS-first modes in modern browsers close that gap for sites that use them.
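To make the certificate check concrete, here is an added example (not code from the original article) that connects to whatever IP you were given but tells TLS it expects gmail.com, and lets certificate validation decide. The `hostname_matches` function re-implements the subjectAltName rule that Python’s `ssl` module applies internally, purely to show why a hijacker’s certificate fails it; the live check relies on the module’s own validation. The default IP is the one quoted in the article above.

```python
import socket
import ssl
import sys

def hostname_matches(hostname: str, san_dns_names: list) -> bool:
    """RFC 6125-style match against subjectAltName DNS entries: exact match, or a wildcard that
    is the whole left-most label and covers exactly one label (*.gmail.com matches
    mail.gmail.com, not gmail.com or a.b.gmail.com). Browsers additionally reject wildcards
    on public suffixes such as *.com; that extra rule is not modelled here."""
    host = hostname.lower().rstrip(".")
    for san in san_dns_names:
        san = san.lower().rstrip(".")
        if san == host:
            return True
        if san.startswith("*.") and "*" not in san[2:]:
            host_labels, san_labels = host.split("."), san.split(".")
            if len(host_labels) == len(san_labels) and host_labels[1:] == san_labels[1:]:
                return True
    return False

def san_names(cert: dict) -> list:
    """DNS names from the dict that ssl.SSLSocket.getpeercert() returns."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]

def verify_host_at_ip(hostname: str, ip: str, port: int = 443, timeout: float = 5.0) -> tuple:
    """Connect to `ip` but tell TLS we expect `hostname` (SNI plus hostname check).
    Returns (ok, detail). Needs network."""
    ctx = ssl.create_default_context()  # system CAs, check_hostname=True, CERT_REQUIRED
    try:
        with socket.create_connection((ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                names = san_names(tls.getpeercert())
                return True, f"certificate valid for {hostname}; some SANs: {names[:3]}"
    except ssl.SSLCertVerificationError as exc:
        # This is the outcome at a hijacked address: the server cannot prove it is `hostname`.
        return False, f"{ip} cannot prove it is {hostname}: {exc.verify_message}"
    except (ssl.SSLError, OSError) as exc:
        return False, f"TLS to {ip} failed: {exc}"

if __name__ == "__main__":
    host, ip = (sys.argv[1], sys.argv[2]) if len(sys.argv) > 2 else ("gmail.com", "142.250.72.101")
    ok, detail = verify_host_at_ip(host, ip)
    print("OK  " if ok else "FAIL", detail)
```

Point it at the address your suspicious resolver returned (`python3 tlscheck.py gmail.com 1.3.3.7`) and the failure message is the same fact the browser’s warning page is telling you: the machine at that IP holds no certificate for gmail.com that chains to a trusted CA.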